fix: mend auth cookie name stutter

Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-04-08 09:38:45 +00:00 · 2025-09-19 16:49:38 +00:00
17 changed files with 21 additions and 350 deletions
--- a/.github/workflows/smoke-tests.yml
+++ b/.github/workflows/smoke-tests.yml
@@ -14,7 +14,6 @@ jobs:
    strategy:
      matrix:
        test:
-          - double_slash
          - forced-language
          - git-clone
          - git-push
--- a/.github/workflows/ssh-ci.yml
+++ b/.github/workflows/ssh-ci.yml
@@ -19,7 +19,7 @@ jobs:
          - riscv64
          - ppc64le
          - aarch64-4k
-          - aarch64-16k
+          # - aarch64-16k
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
--- a/cmd/anubis/main.go
+++ b/cmd/anubis/main.go
@@ -68,7 +68,7 @@ var (
 	slogLevel                = flag.String("slog-level", "INFO", "logging level (see https://pkg.go.dev/log/slog#hdr-Levels)")
 	stripBasePrefix          = flag.Bool("strip-base-prefix", false, "if true, strips the base prefix from requests forwarded to the target server")
 	target                   = flag.String("target", "http://localhost:3923", "target to reverse proxy to, set to an empty string to disable proxying when only using auth request")
-	targetSNI                = flag.String("target-sni", "", "if set, TLS handshake hostname when forwarding requests to the target, if set to auto, use Host header")
+	targetSNI                = flag.String("target-sni", "", "if set, the value of the TLS handshake hostname when forwarding requests to the target")
 	targetHost               = flag.String("target-host", "", "if set, the value of the Host header when forwarding requests to the target")
 	targetInsecureSkipVerify = flag.Bool("target-insecure-skip-verify", false, "if true, skips TLS validation for the backend")
 	targetDisableKeepAlive   = flag.Bool("target-disable-keepalive", false, "if true, disables HTTP keep-alive for the backend")
@@ -83,7 +83,6 @@ var (
 	versionFlag              = flag.Bool("version", false, "print Anubis version")
 	publicUrl                = flag.String("public-url", "", "the externally accessible URL for this Anubis instance, used for constructing redirect URLs (e.g., for forwardAuth).")
 	xffStripPrivate          = flag.Bool("xff-strip-private", true, "if set, strip private addresses from X-Forwarded-For")
-	customRealIPHeader      = flag.String("custom-real-ip-header", "", "if set, read remote IP from header of this name (in case your environment doesn't set X-Real-IP header)")

 	thothInsecure        = flag.Bool("thoth-insecure", false, "if set, connect to Thoth over plain HTTP/2, don't enable this unless support told you to")
 	thothURL             = flag.String("thoth-url", "", "if set, URL for Thoth, the IP reputation database for Anubis")
@@ -236,28 +235,23 @@ func makeReverseProxy(target string, targetSNI string, targetHost string, insecu

 	if insecureSkipVerify || targetSNI != "" {
 		transport.TLSClientConfig = &tls.Config{}
-	}
-	if insecureSkipVerify {
-		slog.Warn("TARGET_INSECURE_SKIP_VERIFY is set to true, TLS certificate validation will not be performed", "target", target)
-		transport.TLSClientConfig.InsecureSkipVerify = true
-	}
-	if targetSNI != "" && targetSNI != "auto" {
-		transport.TLSClientConfig.ServerName = targetSNI
+		if insecureSkipVerify {
+			slog.Warn("TARGET_INSECURE_SKIP_VERIFY is set to true, TLS certificate validation will not be performed", "target", target)
+			transport.TLSClientConfig.InsecureSkipVerify = true
+		}
+		if targetSNI != "" {
+			transport.TLSClientConfig.ServerName = targetSNI
+		}
 	}

 	rp := httputil.NewSingleHostReverseProxy(targetUri)
 	rp.Transport = transport

-	if targetHost != "" || targetSNI == "auto" {
+	if targetHost != "" {
 		originalDirector := rp.Director
 		rp.Director = func(req *http.Request) {
 			originalDirector(req)
-			if targetHost != "" {
-				req.Host = targetHost
-			}
-			if targetSNI == "auto" {
-				transport.TLSClientConfig.ServerName = req.Host
-			}
+			req.Host = targetHost
 		}
 	}

@@ -466,7 +460,6 @@ func main() {

 	var h http.Handler
 	h = s
-	h = internal.CustomRealIPHeader(*customRealIPHeader, h)
 	h = internal.RemoteXRealIP(*useRemoteAddress, *bindNetwork, h)
 	h = internal.XForwardedForToXRealIP(h)
 	h = internal.XForwardedForUpdate(*xffStripPrivate, h)
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -13,7 +13,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 <!-- This changes the project to: -->

- Add `-custom-real-ip-header` flag to get the original request IP from a different header than `x-real-ip`.
 - Add `contentLength` variable to bot expressions.
 - Add `COOKIE_SAME_SITE_MODE` to force anubis cookies SameSite value, and downgrade automatically from `None` to `Lax` if cookie is insecure.
 - Fix lock convoy problem in decaymap ([#1103](https://github.com/TecharoHQ/anubis/issues/1103)).
@@ -29,8 +28,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixes concurrency problems with very old browsers ([#1082](https://github.com/TecharoHQ/anubis/issues/1082)).
 - Randomly use the Refresh header instead of the meta refresh tag in the metarefresh challenge.
 - Update OpenRC service to truncate the runtime directory before starting Anubis.
- Allow multiple consecutive slashes in a row in application paths ([#754](https://github.com/TecharoHQ/anubis/issues/754)).
- Add option to set `targetSNI` to special keyword 'auto' to indicate that it should be automatically set to the request Host name ([424](https://github.com/TecharoHQ/anubis/issues/424)).

 ### Bug Fixes

--- a/docs/docs/admin/caveats-xff.mdx
+++ b/docs/docs/admin/caveats-xff.mdx
@@ -20,8 +20,6 @@ Upstream: X-Forwarded-For: CF_IP

 As a workaround, you should configure your web server to parse an alternative source (such as `CF-Connecting-IP`), or pre-process the incoming `X-Forwarded-For` with your web server to ensure it only contains the real client IP address, then pass it to Anubis as `X-Forwarded-For`.

-If you do not control the web server upstream of Anubis, the `custom-real-ip-header` command line flag accepts a header value that Anubis will read the real client IP address from. Anubis will set the `X-Real-IP` header to the IP address found in the custom header.
-
 The `X-Real-IP` header will be automatically inferred from `X-Forwarded-For` if not set, setting it explicitly is not necessary as long as `X-Forwarded-For` contains only the real client IP. However setting it explicitly can eliminate spoofed values if your web server doesn't set this.

 See [Cloudflare](environments/cloudflare.mdx) for an example configuration.
--- a/docs/docs/admin/installation.mdx
+++ b/docs/docs/admin/installation.mdx
@@ -76,7 +76,6 @@ Anubis uses these environment variables for configuration:
 | `COOKIE_DOMAIN`                | unset                   | The domain the Anubis challenge pass cookie should be set to. This should be set to the domain you bought from your registrar (EG: `techaro.lol` if your webapp is running on `anubis.techaro.lol`). See this [stackoverflow explanation of cookies](https://stackoverflow.com/a/1063760) for more information.<br/><br/>Note that unlike `REDIRECT_DOMAINS`, you should never include a port number in this variable.                                                                                                                         |
 | `COOKIE_DYNAMIC_DOMAIN`        | false                   | If set to true, automatically set cookie domain fields based on the hostname of the request. EG: if you are making a request to `anubis.techaro.lol`, the Anubis cookie will be valid for any subdomain of `techaro.lol`.                                                                                                                                                                                                                                                                                                                      |
 | `COOKIE_EXPIRATION_TIME`       | `168h`                  | The amount of time the authorization cookie is valid for.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| `CUSTOM_REAL_IP_HEADER`        | unset                   | If set, Anubis will read the client's real IP address from this header, and set it in `X-Real-IP` header.                                                                                                                                                                                                                                                                                                                                                                                                                                      |
 | `COOKIE_PARTITIONED`           | `false`                 | If set to `true`, enables the [partitioned (CHIPS) flag](https://developers.google.com/privacy-sandbox/cookies/chips), meaning that Anubis inside an iframe has a different set of cookies than the domain hosting the iframe.                                                                                                                                                                                                                                                                                                                 |
 | `COOKIE_PREFIX`                | `anubis-cookie`         | The prefix used for browser cookies created by Anubis. Useful for customization or avoiding conflicts with other applications.                                                                                                                                                                                                                                                                                                                                                                                                                 |
 | `COOKIE_SECURE`                | `true`                  | If set to `true`, enables the [Secure flag](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies), meaning that the cookies will only be transmitted over HTTPS. If Anubis is used in an unsecure context (plain HTTP), this will be need to be set to false                                                                                                                                                                                                                                          |
@@ -123,7 +122,7 @@ If you don't know or understand what these settings mean, ignore them. These are
 | `TARGET_DISABLE_KEEPALIVE`    | `false`       | If `true`, disables HTTP keep-alive for connections to the target backend. Useful for backends that don't handle keep-alive properly.                                                                                                                                                                                                                                                           |
 | `TARGET_HOST`                 | unset         | If set, overrides the Host header in requests forwarded to `TARGET`.                                                                                                                                                                                                                                                                                                                            |
 | `TARGET_INSECURE_SKIP_VERIFY` | `false`       | If `true`, skip TLS certificate validation for targets that listen over `https`. If your backend does not listen over `https`, ignore this setting.                                                                                                                                                                                                                                             |
-| `TARGET_SNI`                  | unset         | If set, TLS handshake hostname when forwarding requests to the `TARGET`. If set to auto, use Host header.                                                                                                                                                                                                                                                                                                                 |
+| `TARGET_SNI`                  | unset         | If set, overrides the TLS handshake hostname in requests forwarded to `TARGET`.                                                                                                                                                                                                                                                                                                                 |

 </details>

--- a/internal/headers.go
+++ b/internal/headers.go
@@ -38,22 +38,6 @@ func UnchangingCache(next http.Handler) http.Handler {
 	})
 }

-// CustomXRealIPHeader sets the X-Real-IP header to the value of a
-// different header.
-// Used in environments where the upstream proxy sets the request's
-// origin IP in a custom header.
-func CustomRealIPHeader(customRealIPHeaderValue string, next http.Handler) http.Handler {
-	if customRealIPHeaderValue == "" {
-		slog.Debug("skipping middleware, customRealIPHeaderValue is empty")
-		return next
-	}
-
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		r.Header.Set("X-Real-IP", r.Header.Get(customRealIPHeaderValue))
-		next.ServeHTTP(w, r)
-	})
-}
-
 // RemoteXRealIP sets the X-Real-Ip header to the request's real IP if
 // the setting is enabled by the user.
 func RemoteXRealIP(useRemoteAddress bool, bindNetwork string, next http.Handler) http.Handler {
--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@@ -457,7 +457,7 @@ func TestBasePrefix(t *testing.T) {
 	}{
 		{
 			name:       "no prefix",
-			basePrefix: "",
+			basePrefix: "/",
 			path:       "/.within.website/x/cmd/anubis/api/make-challenge",
 			expected:   "/.within.website/x/cmd/anubis/api/make-challenge",
 		},
@@ -499,15 +499,9 @@ func TestBasePrefix(t *testing.T) {
 			}

 			q := req.URL.Query()
-			redir := tc.basePrefix
-			if tc.basePrefix == "" {
-				redir = "/"
-			}
-			q.Set("redir", redir)
+			q.Set("redir", tc.basePrefix)
 			req.URL.RawQuery = q.Encode()

-			t.Log(req.URL.String())
-
 			// Test API endpoint with prefix
 			resp, err := cli.Do(req)
 			if err != nil {
@@ -519,15 +513,8 @@ func TestBasePrefix(t *testing.T) {
 				t.Errorf("expected status code %d, got: %d", http.StatusOK, resp.StatusCode)
 			}

-			data, err := io.ReadAll(resp.Body)
-			if err != nil {
-				t.Fatalf("can't read body: %v", err)
-			}
-
-			t.Log(string(data))
-
 			var chall challengeResp
-			if err := json.NewDecoder(bytes.NewBuffer(data)).Decode(&chall); err != nil {
+			if err := json.NewDecoder(resp.Body).Decode(&chall); err != nil {
 				t.Fatalf("can't read challenge response body: %v", err)
 			}

@@ -548,7 +535,7 @@ func TestBasePrefix(t *testing.T) {
 				nonce++
 			}
 			elapsedTime := 420
-			redir = "/"
+			redir := "/"

 			cli.CheckRedirect = func(req *http.Request, via []*http.Request) error {
 				return http.ErrUseLastResponse
--- a/lib/config.go
+++ b/lib/config.go
@@ -107,7 +107,7 @@ func New(opts Options) (*Server, error) {
 		opts.ED25519PrivateKey = priv
 	}

-	anubis.BasePrefix = strings.TrimRight(opts.BasePrefix, "/")
+	anubis.BasePrefix = opts.BasePrefix
 	anubis.PublicUrl = opts.PublicUrl

 	result := &Server{
--- a/lib/http.go
+++ b/lib/http.go
@@ -279,12 +279,7 @@ func (s *Server) respondWithStatus(w http.ResponseWriter, r *http.Request, msg s
 }

 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if strings.HasPrefix(r.URL.Path, anubis.BasePrefix+anubis.StaticPath) {
-		s.mux.ServeHTTP(w, r)
-		return
-	}
-
-	s.maybeReverseProxyOrPage(w, r)
+	s.mux.ServeHTTP(w, r)
 }

 func (s *Server) stripBasePrefixFromRequest(r *http.Request) *http.Request {
--- a/lib/localization/locales/nn.json
+++ b/lib/localization/locales/nn.json
@@ -13,7 +13,7 @@
  "try_again": "Prøv att",
  "go_home": "Gå heim",
  "contact_webmaster": "eller om du synest at du ikkje burde vera blokkert, venlegast tak kontakt med administratoren på",
-  "connection_security": "Venlegast vent medan vi stadfester tryggleiken av tilkoplinga di.",
+  "connection_security": "Venlegast vent medan vi stadfestar tryggleiken av tilkoplinga di.",
  "javascript_required": "Du lyt diverre slå på JavaScript for å koma deg forbi denne utfordringa. Dette krevst av di KI-selskap har endra sosialkontrakten om korleis nettstadsverting fungerer. Ei ikkje-JS-løysing er i gang med å skapast.",
  "benchmark_requires_js": "JavaScript må vera slegen på for å køyre samanlikningsverktøyet.",
  "difficulty": "Vanskenivå:",
@@ -41,7 +41,7 @@
  "oh_noes": "Å nei!",
  "benchmarking_anubis": "Samanliknar Anubis!",
  "you_are_not_a_bot": "Du er ikkje ein bot!",
-  "making_sure_not_bot": "Stadfester at du ikkje er ein bot!",
+  "making_sure_not_bot": "Stadfestar at du ikkje er ein bot!",
  "celphase": "CELPHASE",
  "js_web_crypto_error": "Nettlesaren din har ikkje eit fungerande web.crypto-element. Ser du dette med ei sikker tilkopling?",
  "js_web_workers_error": "Nettlesaren din støttar ikkje nettarbeidarar (Anubis brukar dette for å unngå å fryse nettlesaren din). Har du eit tillegg som JShelter installert?",
@@ -63,4 +63,4 @@
  "js_calculation_error_msg": "Mislukkast i å rekne utfordring:",
  "missing_required_forwarded_headers": "Manglende nødvendige X-Forwarded-* headers",
  "simplified_explanation": "Dette er eit tiltak mot robotar og vondsinna førespurnader som liknar på ein CAPTCHA. Men i staden for å måtte gjere arbeidet sjølv, får nettlesaren din ei utrekningsoppgåve som han må løyse for å sikre at han er ein gyldig klient. Dette konseptet blir kalla <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Arbeidsbevis</a>. Oppgåva blir rekna ut på nokre få sekund, og du får tilgang til nettstaden. Takk for di forståing og tålmod."
-}
+}
--- a/test/cmd/httpdebug/main.go
+++ b/test/cmd/httpdebug/main.go
@@ -1,25 +0,0 @@
-package main
-
-import (
-	"flag"
-	"fmt"
-	"log"
-	"log/slog"
-	"net/http"
-)
-
-var (
-	bind = flag.String("bind", ":3923", "TCP port to bind to")
-)
-
-func main() {
-	flag.Parse()
-
-	slog.Info("listening", "url", "http://localhost"+*bind)
-	log.Fatal(http.ListenAndServe(*bind, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		slog.Info("got request", "method", r.Method, "path", r.RequestURI)
-
-		fmt.Fprintln(w, r.Method, r.RequestURI)
-		r.Header.Write(w)
-	})))
-}
--- a/test/double_slash/anubis.yaml
+++ b/test/double_slash/anubis.yaml
@@ -1,8 +0,0 @@
-bots:
-  - name: challenge
-    user_agent_regex: CHALLENGE
-    action: CHALLENGE
-
-status_codes:
-  CHALLENGE: 200
-  DENY: 403
--- a/test/double_slash/input.txt
+++ b/test/double_slash/input.txt
@@ -1,178 +0,0 @@
-/wiki//bin
-/wiki//boot
-/wiki//dev
-/wiki//dev/de
-/wiki//dev/en
-/wiki//dev/en-ca
-/wiki//dev/es
-/wiki//dev/fr
-/wiki//dev/hr
-/wiki//dev/hu
-/wiki//dev/it
-/wiki//dev/ja
-/wiki//dev/ko
-/wiki//dev/pl
-/wiki//dev/pt-br
-/wiki//dev/ro
-/wiki//dev/ru
-/wiki//dev/sv
-/wiki//dev/uk
-/wiki//dev/zh-cn
-/wiki//etc
-/wiki//etc/conf.d
-/wiki//etc/env.d
-/wiki//etc/fstab
-/wiki//etc/fstab/de
-/wiki//etc/fstab/en
-/wiki//etc/fstab/es
-/wiki//etc/fstab/fr
-/wiki//etc/fstab/hu
-/wiki//etc/fstab/it
-/wiki//etc/fstab/ja
-/wiki//etc/fstab/ko
-/wiki//etc/fstab/ru
-/wiki//etc/fstab/sv
-/wiki//etc/fstab/uk
-/wiki//etc/fstab/zh-cn
-/wiki//etc/hosts
-/wiki//etc/local.d
-/wiki//etc/make.conf
-/wiki//etc/portage
-/wiki//etc/portage/bashrc
-/wiki//etc/portage/Bashrc
-/wiki//etc/portage/binrepos.conf
-/wiki//etc/portage/binrepos.conf/en
-/wiki//etc/portage/binrepos.conf/hu
-/wiki//etc/portage/binrepos.conf/ja
-/wiki//etc/portage/binrepos.conf/ru
-/wiki//etc/portage/categories
-/wiki//etc/portage/color.map
-/wiki//etc/portage/env
-/wiki//etc/portage/img/ico.png
-/wiki//etc/portage/license_groups
-/wiki//etc/portage/make.conf
-/wiki//etc/portage/make.conf/de
-/wiki//etc/portage/make.conf/de/etc/portage/make.conf
-/wiki//etc/portage/make.conf/en
-/wiki//etc/portage/make.conf/es
-/wiki//etc/portage/make.conf/fr
-/wiki//etc/portage/make.conf/hu
-/wiki//etc/portage/make.conf/it
-/wiki//etc/portage/make.conf/it/var/db/repos/gentoo/licenses
-/wiki//etc/portage/make.conf/ja
-/wiki//etc/portage/make.conf/pl
-/wiki//etc/portage/make.conf/ru
-/wiki//etc/portage/make.conf/uk
-/wiki//etc/portage/make.conf/zh-cn
-/wiki//etc/portage/make.profile
-/wiki//etc/portage/mirrors
-/wiki//etc/portage/modules
-/wiki//etc/portage/package.accept_keywords
-/wiki//etc/portage/package.env
-/wiki//etc/portage/package.license
-/wiki//etc/portage/package.license/en
-/wiki//etc/portage/package.license/es
-/wiki//etc/portage/package.license/hu
-/wiki//etc/portage/package.license/ja
-/wiki//etc/portage/package.mask
-/wiki//etc/portage/package.mask/en
-/wiki//etc/portage/package.mask/hu
-/wiki//etc/portage/package.mask/ja
-/wiki//etc/portage/package.properties
-/wiki//etc/portage/package.unmask
-/wiki//etc/portage/package.use
-/wiki//etc/portage/package.use/de
-/wiki//etc/portage/package.use/en
-/wiki//etc/portage/package.use/es
-/wiki//etc/portage/package.use/fr
-/wiki//etc/portage/package.use/hu
-/wiki//etc/portage/package.use/it
-/wiki//etc/portage/package.use/ja
-/wiki//etc/portage/package.use/ru
-/wiki//etc/portage/package.use/uk
-/wiki//etc/portage/package.use/zh-cn
-/wiki//etc/portage/patches
-/wiki//etc/portage/profile/make.defaults
-/wiki//etc/portage/profile/package.provided
-/wiki//etc/portage/profile/package.provided/etc/portage/profile/package.provided
-/wiki//etc/portage/profile/package.provided/etc/portage/profiles/package.provided
-/wiki//etc/portage/profile/package.use.mask
-/wiki//etc/portage/profiles/package.provided
-/wiki//etc/portage/profiles/package.use.mask
-/wiki//etc/portage/profiles/package.use.mask/etc/portage/profile/package.use.mask
-/wiki//etc/portage/profiles/package.use.mask/etc/portage/profiles/package.use.mask
-/wiki//etc/portage/profiles/use.mask
-/wiki//etc/portage/profile/use.mask
-/wiki//etc/portage/repos.conf
-/wiki//etc/portage/repos.conf/brother-overlay.conf
-/wiki//etc/portage/repos.conf/de
-/wiki//etc/portage/repos.conf/en
-/wiki//etc/portage/repos.conf/es
-/wiki//etc/portage/repos.conf/etc/portage/repos.conf/gentoo.conf
-/wiki//etc/portage/repos.conf/fr
-/wiki//etc/portage/repos.conf/fr/etc/portage/repos.conf/gentoo.conf
-/wiki//etc/portage/repos.conf/gentoo.conf
-/wiki//etc/portage/repos.conf/gentoo.conf/etc/portage/repos.conf/gentoo.conf
-/wiki//etc/portage/repos.conf/hr
-/wiki//etc/portage/repos.conf/hu
-/wiki//etc/portage/repos.conf/it
-/wiki//etc/portage/repos.conf/ja
-/wiki//etc/portage/repos.conf/ko
-/wiki//etc/portage/repos.conf/pl
-/wiki//etc/portage/repos.conf/pt-br
-/wiki//etc/portage/repos.conf/ru
-/wiki//etc/portage/repos.conf/uk
-/wiki//etc/portage/repos.conf/zh-cn
-/wiki//etc/portage/savedconfig
-/wiki//etc/portage/sets
-/wiki//etc/profile
-/wiki//etc/profile.env
-/wiki//etc/sandbox.conf
-/wiki//home
-/wiki//lib
-/wiki//lib64
-/wiki//media
-/wiki//mnt
-/wiki//opt
-/wiki//proc
-/wiki//proc/config.gz
-/wiki//run
-/wiki//sbin
-/wiki//srv
-/wiki//sys
-/wiki//tmp
-/wiki//usr
-/wiki//usr/bin
-/wiki//usr_move
-/wiki//usr/portage
-/wiki//usr/portage/distfiles
-/wiki//usr/portage/licenses
-/wiki//usr/portage/metadata
-/wiki//usr/portage/metadata/md5-cache
-/wiki//usr/portage/metadata/md5-cache/usr/portage/metadata/md5-cache
-/wiki//usr/portage/metadata/md5-cache/var/db/repos/gentoo//metadata/md5-cache
-/wiki//usr/portage/packages
-/wiki//usr/portage/profiles
-/wiki//usr/portage/profiles/license_groups
-/wiki//usr/portage/profiles/license_groups/usr/portage/profiles/license_groups
-/wiki//usr/portage/profiles/license_groups/var/db/repos/gentoo//profiles/license_groups
-/wiki//usr/share/doc/
-/wiki//var/cache/binpkgs
-/wiki//var/cache/distfiles
-/wiki//var/db/pkg
-/wiki//var/db/pkg%22
-/wiki//var/db/repos/gentoo
-/wiki//var/db/repos/gentoo/licenses
-/wiki//var/db/repos/gentoo/licenses/var/db/repos/gentoo//licenses
-/wiki//var/db/repos/gentoo/licenses/var/db/repos/gentoo/licenses
-/wiki//var/db/repos/gentoo/metadata
-/wiki//var/db/repos/gentoo/metadata/md5-cache
-/wiki//var/db/repos/gentoo/metadata/var/db/repos/gentoo//metadata
-/wiki//var/db/repos/gentoo/metadata/var/db/repos/gentoo/metadata
-/wiki//var/db/repos/gentoo/profiles
-/wiki//var/db/repos/gentoo/profiles/license_groups
-/wiki//var/db/repos/gentoo/profiles/package.mask
-/wiki//var/lib/portage
-/wiki//var/lib/portage/world
-/wiki//var/run
-/gcc-bugs/bug-122002-4@http.gcc.gnu.org%2Fbugzilla%2F/T/
--- a/test/double_slash/test.mjs
+++ b/test/double_slash/test.mjs
@@ -1,45 +0,0 @@
-import { createReadStream } from "fs";
-import { createInterface } from "readline";
-
-async function getPage(path) {
-  return fetch(`http://localhost:8923${path}`)
-    .then(resp => {
-      if (resp.status !== 200) {
-        throw new Error(`wanted status 200, got status: ${resp.status}`);
-      }
-      return resp;
-    })
-    .then(resp => resp.text());
-}
-
-(async () => {
-  const fin = createReadStream("input.txt");
-  const rl = createInterface({
-    input: fin,
-    crlfDelay: Infinity,
-  });
-
-  const resultSheet = {};
-
-  let failed = false;
-
-  for await (const line of rl) {
-    console.log(line);
-
-    const resp = await getPage(line);
-    resultSheet[line] = {
-      match: resp.includes(`GET ${line}`),
-      line: resp.split("\n")[0],
-    };
-  }
-
-  for (let [k, v] of Object.entries(resultSheet)) {
-    if (!v.match) {
-      failed = true;
-    }
-
-    console.debug({ path: k, results: v });
-  }
-
-  process.exit(failed ? 1 : 0);
-})();
--- a/test/double_slash/test.sh
+++ b/test/double_slash/test.sh
@@ -1,23 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-function cleanup() {
-	pkill -P $$
-}
-
-trap cleanup EXIT SIGINT
-
-# Build static assets
-(cd ../.. && npm ci && npm run assets)
-
-go tool anubis --help 2>/dev/null || :
-
-go run ../cmd/httpdebug &
-
-go tool anubis \
-	--policy-fname ./anubis.yaml \
-	--use-remote-address \
-	--target=http://localhost:3923 &
-
-backoff-retry node ./test.mjs
--- a/test/double_slash/var/.gitignore
+++ b/test/double_slash/var/.gitignore
@@ -1,2 +0,0 @@
-*
-!.gitignore